search for: rootca

Displaying 20 results from an estimated 33 matches for "rootca".

2016 Jun 15
1
https and self signed
On Wed, 15 Jun 2016, John R Pierce wrote: > On 6/15/2016 6:47 AM, Jerry Geis wrote: >> How do I get past this? I was looking to just self sign for https. > > in my admittedly limited experience with this stuff, you need to create your > own rootCA, and use that to sign your certificates, AND you need to take the > public key of the rootCA and import it into any trust stores that will be > used to verify said certificates. If you don't do this, then there's no real point using SSL at all, and you *should* be forced to overrid...
2015 Jan 26
4
imap-login: Fatal: pipe() failed: Too many open files
...user = postfix } user = vmail } service pop3-login { inet_listener pop3s { port = 0 } } service quota-warning { executable = script /usr/local/bin/quota-warning.sh unix_listener quota-warning { user = vmail } user = vmail } ssl = required ssl_cert = </etc/ssl/RootCA/certs/192.168.50.101.pem ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA ssl_key...
2020 Aug 02
2
Boot failed on latest CentOS 7 update
...ce, you would rely on Microsoft to sign SB related >> content. >> >> > now, does Microsoft have to sign each released module themselves, or will > they issue a CA cert to an authorized OS creator, like RH, then let RH > sign their own modules? > > EG, Microsoft RootCA -> Signed Package > vs, Microsoft RootCA -> RH Child CA -> Signed Package .... > > I believe Microsoft signs the shim which then becomes the trusted authority and embeds RH (or CentOS) signing cert, so (I believe) every release of the shim needs to be signed by Microsoft...
2016 Jun 15
8
https and self signed
I followed the instructions here https://wiki.centos.org/HowTos/Https Checking port 80 I get the file... curl http://localhost/file.html <HTML> <FORM> Working </FORM> </HTML> Checking port 443 I get an error curl https://localhost/file.html curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here:
2020 Aug 02
2
Boot failed on latest CentOS 7 update
On 02/08/2020 16:26, Valeri Galtsev wrote: > > On the side note: it is Microsoft that signs one of Linux packages now. We seem to have made one more step away from "our" computers being _our computers_. Am I wrong? > > Valeri > Microsoft are the Certificate Authority for SecureBoot and most SB-enabled hardware (most x86 hardware) comes with a copy of the Microsoft key
2015 Jan 26
0
imap-login: Fatal: pipe() failed: Too many open files
...in { > inet_listener pop3s { > port = 0 > } > } > service quota-warning { > executable = script /usr/local/bin/quota-warning.sh > unix_listener quota-warning { > user = vmail > } > user = vmail > } > ssl = required > ssl_cert = </etc/ssl/RootCA/certs/192.168.50.101.pem > ssl_cipher_list = > EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SH...
2015 Jan 26
0
imap-login: Fatal: pipe() failed: Too many open files
...in { > inet_listener pop3s { > port = 0 > } > } > service quota-warning { > executable = script /usr/local/bin/quota-warning.sh > unix_listener quota-warning { > user = vmail > } > user = vmail > } > ssl = required > ssl_cert = </etc/ssl/RootCA/certs/192.168.50.101.pem > ssl_cipher_list = > EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SH...
2016 Jun 15
0
https and self signed
On 6/15/2016 6:47 AM, Jerry Geis wrote: > How do I get past this? I was looking to just self sign for https. in my admittedly limited experience with this stuff, you need to create your own rootCA, and use that to sign your certificates, AND you need to take the public key of the rootCA and import it into any trust stores that will be used to verify said certificates. -- john r pierce, recycling bits in santa cruz
2020 Aug 02
0
Boot failed on latest CentOS 7 update
...into the > MOK list on every device, you would rely on Microsoft to sign SB related > content. > > now, does Microsoft have to sign each released module themselves, or will they issue a CA cert to an authorized OS creator, like RH, then let RH sign their own modules? EG, Microsoft RootCA -> Signed Package vs, Microsoft RootCA -> RH Child CA -> Signed Package .... -- -john r pierce recycling used bits in santa cruz
2020 Aug 02
2
Boot failed on latest CentOS 7 update
On 8/2/20 1:19 PM, John Pierce wrote: > One of the things that bugs me about PKI trust chains like this, what > happens if the unthinkable happens, and Microsoft's RootCA gets compromised > and has to be revoked... does that mean every single piece of UEFI > hardware out there needs a BIOS upgrade? Yes. They'll be vulnerable to malware signed by the old CA until they're updated. That's better than systems without a PKI trust chain, which are...
2014 Apr 21
2
TLS and intermediate CA
...BEGIN CERTIFICATE----- ... omitted for brevity -----END CERTIFICATE----- subject=/CN=kvm999.example.com issuer=/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com --- Acceptable client certificate CA names /C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com /C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=rootca.example.com --- The "Server certificate" and "Acceptable client certificate CA names" look right. The problem is that the certificate chain is just the single server cert and does not include the intermediate cert or root cert. As a result clients from other intermediate CAs f...
2016 May 11
1
Change Password after expired
Hi list, Same wish here! I'd like my users to change their password using LTB (great tool) but since 4.2.10 (debian jessie) I lost the connection to samba4. I tried using TLS and port 636 in LTB's config.inc.php with a dedicated user and put the self signed AC from private/tls but it didn't work. Before the upgrade, I was on samba 4.1.17 (debian jessie) and simple bind on port 389
2006 Jul 07
2
Authentication by certificats (a bug or my misconfiguration)
...tarting up Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=adminms at ppgk.com.pl/emailAddress=adminms at ppgk.com.pl Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Invalid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/CN=RootCA/emailAddress=admin at ppgk.com.pl Jul 7 14:33:57 ppgk-wa dovecot: pop3-login: Valid certificate: /C=PL/ST=Mazowieckie/L=Warszawa/O=PPGK/OU=Z10/C...
2016 May 11
2
Change Password after expired
I don't know LTB or what it exactly is, but Add in /etc/ldap/ldap.conf TLS_REQCERT allow Setup your own "rootCA" like this. ( if not done, apt-get install ca-certificates ) mkdir -p /usr/local/share/ca-certificates/chrono mv /etc/ssl/ca_chrono-dom.lan.pem /usr/local/share/ca-certificates/chrono update-ca-certificates ! MUST BE /usr/local/share/ca-certificates else it's not picked up with the update-ca...
2024 Mar 25
1
NT_STATUS_INVALID_SID error
...E.BRK server role = active directory domain controller workgroup = JUE dns forwarder = 8.8.8.8 idmap_ldb:use rfc2307 = yes tls enabled = yes tls keyfile = tls/dc01.jue.brk.key tls certfile = tls/dc01.jue.brk.crt tls cafile = tls/rootCA.crt template shell = /bin/bash template homedir = /home/%U idmap config * : backend = tdb idmap config * : range = 3000-7999 idmap config JUE : backend = ldap idmap config JUE : range = 100000-999999 template shell = /bin/bash ...
2016 May 11
1
Change Password after expired
...> recognizes only crt files, man update-ca-certificates) > Thank you Louis. > > On 11/05/2016 10:45, L.P.H. van Belle wrote: >> I don't know LTB or what it exactly is, but >> >> Add in /etc/ldap/ldap.conf >> TLS_REQCERT allow >> >> Setup your own "rootCA" like this. >> ( if not done, apt-get install ca-certificates ) >> >> mkdir -p /usr/local/share/ca-certificates/chrono >> mv /etc/ssl/ca_chrono-dom.lan.pem >> /usr/local/share/ca-certificates/chrono >> update-ca-certificates >> >> ! MUST BE /usr...
2024 Mar 25
1
NT_STATUS_INVALID_SID error
...n controller > workgroup = JUE > > dns forwarder = 8.8.8.8 > > idmap_ldb:use rfc2307 = yes > > tls enabled = yes > tls keyfile = tls/dc01.jue.brk.key > tls certfile = tls/dc01.jue.brk.crt > tls cafile = tls/rootCA.crt > > template shell = /bin/bash > template homedir = /home/%U > > idmap config * : backend = tdb > idmap config * : range = 3000-7999 > idmap config JUE : backend = ldap > idmap config JUE : range = 100000-999999...
2018 Jun 07
0
Docker Update 1.13.1-53 -> 1.13.1-63 certificate error
...e * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=repo.local,OU=OU,O=Enterprise,L=City,ST=Country,C=DE * start date: Okt 09 14:31:40 2017 GMT * expire date: Aug 18 14:31:40 2027 GMT * common name: repo.local * issuer: CN=ROOTCA für xxx,OU=OU,O=Enterprise,L=City,ST=Contry,C=DE > GET /v1/users/ HTTP/1.1 > User-Agent: curl/7.29.0 > Host: repo.local:5000 > Accept: */* > < HTTP/1.1 404 Not Found < Content-Type: text/plain; charset=utf-8 < Docker-Distribution-Api-Version: registry/2.0 < X-Content-Type...
2020 Aug 02
0
Boot failed on latest CentOS 7 update
...believe) every > release of the shim needs to be signed by Microsoft. So it's not quite > as efficient as MS signing a RH/CentOS CA key, but is not far off. > One of the things that bugs me about PKI trust chains like this, what happens if the unthinkable happens, and Microsoft's RootCA gets compromised and has to be revoked... does that mean every single piece of UEFI hardware out there needs a BIOS upgrade? and don't UEFI bios updates have to be signed too? -- -john r pierce recycling used bits in santa cruz
2020 Aug 02
0
Boot failed on latest CentOS 7 update
On Sun, Aug 2, 2020 at 3:54 PM Gordon Messmer <gordon.messmer at gmail.com> wrote: > On 8/2/20 1:19 PM, John Pierce wrote: > > One of the things that bugs me about PKI trust chains like this, what > > happens if the unthinkable happens, and Microsoft's RootCA gets > compromised > > and has to be revoked... does that mean every single piece of UEFI > > hardware out there needs a BIOS upgrade? > > > Yes. They'll be vulnerable to malware signed by the old CA until > they're updated. > > That's better than syst...